Is it possible to assign the IP address of same segment (172.17.8.0/24) to both interface (inside, outside). NATting is not used in this router.
The router is used as a Firewall to filter out the traffic according the ACL and just forward the traffic to ISP router.
Is this setup possible? If possible what is the draw back on this setup and will I face any problem in future?
If not possible, how to implement it in another way with using same segment IP address?
Attached diagram with more details.
If you are routing you cant have the same network on two interfaces.
You would need to look at deploying your router / firewall in a transparent mode. I.e. it is just a drop in at layer 2.
This depends on what hw and sw you are running though. Couldnt open the attachment. What are you running?
Well you may need a router which is transparently bridging and acting as a firewall. You can use IRB and then turn on the CBAC on the router
This link should help you.
Thank you very much for reply.
I have tested the Transparent IOS Firewall and it works great.
As of now I have tested with icmp only.
The BVI1 is configured for remote access to the router for applying ACL and to monitor the router.
I have attached the test config and diagram.
Can you please check the config and see if I am missing any thing or some of the setups, which will not work in real environment.
Well it looks fine to me however i myself havent worked a lot on this. I think the best thing would be to test in the network and see if it works.
I tested the Transparent IOS Firewall with other applications it is working well.
But first I faced little problem, initially I disabled the IP CEF and IP ROUTING and tested the Internet traffic, I was able to access the web sites, but after some time the router crashes and reloads and gives bus error messages.
Then I enabled the IP CEF and IP ROUTING and tested the Internet traffic; there was no problem with router and every thing worked fine.
Does ASA 5500 series Adaptive Security Appliance supports the Transparent Firewall?
Sure... Please follow the link below:
BTW, I'm impressed and glad to see the IOS Transparent Firewall, I only thought that ASA / PIX is having Transparent Firewalls.
I implemented the transparent firewall and it worked well.
But I faced problem in our backup line.
When our main line goes down, the ISP router re-routes the traffic to backup router.
The ping test from client to server in H.O worked perfectly thru backupline.
But the applications are not working.
The current setup is, the ISP router lan cable is directly connected to Transparent firewall interface (outside/wan side).
Transparent firewall interface (inside/lan side) is connected to L3 switch.
Backup line lan interface is connected to L3switch.
L3 switch default gateway is ISP router lan interface ip address.
All client pc`s default gateway is L# switch.
So when the main ISP line (wan) goes down, ISP router re-routes to backup line, as the application packets from client pc passes thru transparent firewall and ISP router forwards it to backup router.
But in transparent firewall, the sessions are already there and when the same packet enters the transparent firewall from wan side interface, I think it drops/blocks the packets.
Is it correct?
How to rectify this problem?
Is it OK if the backup router lan interface is shifted in-between to ISP router and transparent firewall, connecting all the three with a hub?